Category: Website Design

This past weekend, we started receiving failed login attempt alerts from a few of the WordPress sites we manage. This is abnormal, because all of the sites we manage are IP-restricted, i.e. you cannot access the login page unless you’re at an approved location, such as your store or home.

So it was interesting, to say the very least, to start seeing failed login attempts coming in, and lots of them, automated via bots and ‘hacking’ tools:

(Screenshot: failed login attempt alerts)

I verified that the sites’ login pages were in fact inaccessible from other IPs. So how the heck were *they* submitting a login? Even a temporary rename of /wp-admin and wp-login.php had no impact, so the logins clearly weren’t coming in through there.

One of the first things that came to mind was plugins. We only utilize a strict list of plugins and we tend to avoid flooding WordPress sites with random plugins. The sites that were triggering these alerts, though, were sites we inherited and did not originally design or build. All plugins are fully managed and updated on a daily basis, so it wasn’t so much an out-of-date plugin, but possibly one of the odd-ball plugins utilized by a previous developer. There was nothing in common across the sites experiencing this issue, though, and none of the plugins in question appeared to provide any form of authentication functionality.

What else is ‘listening’ in a WordPress installation? What has its ear against the Internet, waiting for incoming information? XML-RPC, which is used for remote publishing from mobile apps and for pingbacks from other blogs.

Sure enough, when inspecting the server logs, I found the offending IPs were in fact submitting requests to /xmlrpc.php:

(Screenshot: server log entries showing requests to /xmlrpc.php)
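The log check described above can be scripted rather than eyeballed. The following is an added example, not code from the original post: it parses Apache/nginx combined-format access log lines, counts POST requests to /xmlrpc.php and /wp-login.php per source IP, and reports any IP that reaches a threshold. The log lines, the threshold of 3 and the IP addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed for the example.

```php
<?php
// Added example (not from the original post): find source IPs hammering the
// two WordPress endpoints that accept credentials, from combined-format logs.

declare(strict_types=1);

// Combined log format: IP ident user [time] "METHOD PATH PROTO" status bytes "referer" "agent"
const LOG_PATTERN = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+/';

// Endpoints that can carry a username/password; everything else is ignored.
const LOGIN_ENDPOINTS = ['/xmlrpc.php', '/wp-login.php'];

function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null; // malformed or non-combined line, skip it
    }
    // Drop any query string so "/xmlrpc.php?rsd" still matches the endpoint.
    $path = strtok($m['path'], '?');
    return [
        'ip'     => $m['ip'],
        'method' => $m['method'],
        'path'   => $path,
        'status' => (int) $m['status'],
    ];
}

/**
 * Count POSTs to login-capable endpoints per source IP and return the IPs
 * whose total reached $threshold, as ['ip' => ['/xmlrpc.php' => n, ...]].
 */
function find_login_abusers(array $lines, int $threshold): array
{
    $counts = [];
    foreach ($lines as $line) {
        $entry = parse_log_line($line);
        if ($entry === null || $entry['method'] !== 'POST') {
            continue;
        }
        if (!in_array($entry['path'], LOGIN_ENDPOINTS, true)) {
            continue;
        }
        $counts[$entry['ip']][$entry['path']] = ($counts[$entry['ip']][$entry['path']] ?? 0) + 1;
    }

    $abusers = [];
    foreach ($counts as $ip => $perPath) {
        if (array_sum($perPath) >= $threshold) {
            $abusers[$ip] = $perPath;
        }
    }
    return $abusers;
}

// Constructed sample lines; the IPs are documentation-range addresses, not real attackers.
$sample = [
    '203.0.113.5 - - [10/Feb/2014:03:14:07 -0500] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2014:03:14:08 -0500] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2014:03:14:09 -0500] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2014:03:15:00 -0500] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2014:03:15:30 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (find_login_abusers($sample, 3) as $ip => $perPath) {
    printf("%s: %s\n", $ip, json_encode($perPath));
}
```

On a real server, replace `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)` (path assumed; use your host’s log location) and a threshold that fits your traffic. A 200 response to a POST on /xmlrpc.php is not by itself a successful login; the XML-RPC fault for bad credentials is also returned with HTTP 200, which is exactly why these attempts never show up as failed wp-login.php requests.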

Disable XML-RPC and voila, the login attempts stopped.
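One way to switch XML-RPC off from inside WordPress, as an added example and not code from the original post: the file below is a must-use plugin (it assumes you drop it into wp-content/mu-plugins/, where WordPress loads it without activation). It uses the core `xmlrpc_enabled` filter, which makes every XML-RPC call that needs a login fail, and as a second layer removes two methods from the method table and stops the site advertising the endpoint. The filter and hook names are real WordPress hooks; the file name and header are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example, not from the original post)
 *
 * Place in wp-content/mu-plugins/ so it loads on every request without
 * needing activation. Turns off authenticated XML-RPC entirely through the
 * core 'xmlrpc_enabled' filter, then, as defence in depth, removes the two
 * methods most often abused and stops advertising the endpoint.
 */

// Refuse to run outside WordPress.
if (!defined('ABSPATH')) {
    exit;
}

// Core filter (WordPress 3.5+): returning false makes every XML-RPC method that
// requires a login fail with a "XML-RPC services are disabled on this site" fault,
// so password guessing through xmlrpc.php no longer reaches wp_authenticate().
add_filter('xmlrpc_enabled', '__return_false');

// Defence in depth: drop system.multicall (lets one request carry many login
// attempts) and pingback.ping (the pingback reflection vector) from the method
// table, so they are unavailable even if something re-enables XML-RPC later.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['system.multicall'], $methods['pingback.ping']);
    return $methods;
});

// Stop telling clients where the endpoint lives: remove the X-Pingback response
// header and the RSD <link> tag that points at xmlrpc.php.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

This only helps once PHP is running; the request still reaches the server. Since the post already restricts wp-login.php by IP, the same web-server allow-list should cover xmlrpc.php too (for Apache, a `<Files "xmlrpc.php">` block with the same rules), so that scanners get a 403 before WordPress is even loaded. If a mobile app or the Jetpack plugin needs XML-RPC, allow only those source addresses rather than the whole Internet.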

This isn’t a new attack, but XML-RPC was disabled by default until WordPress 3.5. It appears that with more and more site owners becoming aware of proper WordPress security and proper Web server security, *they* are looking for other ways in.

Things you can do to better-protect your WordPress site:

- Regularly update your plugins, as well as your WordPress installation. We work with so many store owners who have been paying someone to do this for them, only to find their WordPress site is still running 3.5.1 and the plugins have never been updated!

- Install a login limiter, as well as an intrusion detection system, for your WordPress installation.

Or who, for that matter. If you think your website just sits there and serves pages to friendly visitors, you’re missing out on all the fun that’s going on behind the scenes. Properly securing a website and maintaining it on an ongoing basis are critical to preventing your site from being “hacked”.

Websites are not a “set it and forget it” sort of thing. Server logs should be inspected on a regular basis. An Intrusion Detection System should be in place. Updates for software should be installed on a regular basis. WordPress must be updated and maintained and if you ignore this maintenance, you’ll have some friends coming to visit you…

(Screenshot: CloudFlare IDS)

And what are these “friends” doing on your website? Just running some friendly Dictionary Attacks, that’s all…

(Screenshot: dictionary attacks)

Attempting to log in as ‘admin’…

(Screenshot: admin login attempts)

Out of the box, WordPress does not block unsuccessful login attempts, so someone can try to log in to your admin page over and over again without you ever knowing, unless you have the right tools in place. At the very least, make sure you install the Limit Login Attempts plugin.
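To show what a login limiter like the one recommended in the checklist above and here actually does, the following is an added example, not code from the original post and not the Limit Login Attempts plugin itself. It is a must-use plugin (assumed to live in wp-content/mu-plugins/) that counts failed logins per source IP in a transient and refuses further authentication from that IP once a threshold is hit. The hook names are real WordPress hooks; the prefix `mlrl_`, the threshold of 5 attempts and the 15-minute window are assumptions.

```php
<?php
/**
 * Plugin Name: Minimal login rate limiter (added example, not from the original
 * post and not the Limit Login Attempts plugin)
 *
 * Both wp-login.php and xmlrpc.php authenticate through wp_authenticate(),
 * which runs the 'authenticate' filter and fires 'wp_login_failed' on a bad
 * password, so one limiter covers both entry points.
 */

if (!defined('ABSPATH')) {
    exit;
}

const MLRL_MAX_FAILURES    = 5;   // failures allowed before lockout (assumed)
const MLRL_LOCKOUT_SECONDS = 900; // counting window and lockout length (assumed)

function mlrl_client_ip(): string
{
    // REMOTE_ADDR is the TCP peer. Behind Cloudflare or another reverse proxy
    // that is the proxy's address; only substitute a forwarded header if the
    // web server is configured to trust that proxy, or attackers can spoof it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function mlrl_transient_key(string $ip): string
{
    // Transient names are length-limited, so hash the address.
    return 'mlrl_fail_' . md5($ip);
}

// Record a failure. 'wp_login_failed' fires from wp_authenticate() on any bad
// username/password, whichever entry point submitted it.
add_action('wp_login_failed', function (string $username): void {
    $key   = mlrl_transient_key(mlrl_client_ip());
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, MLRL_LOCKOUT_SECONDS); // refreshes the window
});

// Refuse authentication from a locked-out IP. Priority 100 runs after all the
// core filters (username/password at 20, cookie at 30, spam check at 99), so
// a WP_Error returned here is what wp_authenticate() hands back.
add_filter('authenticate', function ($user, string $username, string $password) {
    $fails = (int) get_transient(mlrl_transient_key(mlrl_client_ip()));
    if ($fails >= MLRL_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins from your address. Try again in %d minutes.',
                    MLRL_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}, 100, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(mlrl_transient_key(mlrl_client_ip()));
}, 10, 2);
```

Because a blocked attempt is itself reported as a failure, the lockout keeps extending while the guessing continues, which is the behaviour you want against a bot. The trade-off of any per-IP limiter is that a distributed attack from many addresses is not slowed much, and that is where the IP allow-listing and the IDS the post describes come in.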

Security is a multi-layer approach, so don’t think there is just one simple solution to secure your website. Make sure you or someone is maintaining your website, installing the latest updates, pruning as many attack vectors as possible, checking your logs, etc.

I’ve been building consignment websites and websites in general for over a decade. I’ve stumbled, made mistakes, got hacked…and learned. When you’re responsible for a server, databases, and clients’ data, you have no choice but to learn what it takes to manage a server. From Apache to MySQL, to PHP versions and security best-practices, there’s a lot going on.

WordPress is software that you can install on a server and then have a professional website up and running relatively quickly. A template is then installed and configured, and with a higher-end template, shortcodes provide convenient access to styling the site and building a complete website. WordPress is famous for its “5 minute installation” and most anyone with a little time and some basic tech experience can install WordPress. This seems to attract a lot of people who really don’t know what they’re doing.

This week alone, we’ve worked with two clients whose sites were not properly handled by their previous “Web Developers”. One look at the WordPress installation and you could immediately see these were not professionals. One of their developers, who was “moving on to do bigger and better eCommerce sites,” hadn’t even activated and registered Akismet. Scary to think that person is going on to manage sites that process credit card info.

Professional Web Developer

There are so many moving parts to a website, especially a WordPress site. Updates are constantly being released for WordPress, its plugins, templates, etc. In addition to the front end of your website, the components that run a WordPress website (e.g. Apache, MySQL, and PHP) all have to be properly secured and maintained.

The fact that pretty much anyone can slap a WordPress site together is actually quite a troubling notion. Sites are hacked on a daily basis. Just choosing the wrong host could lead to your site getting hacked.

Here’s a small glimpse of some of the uglies that are rubbing up against your site on a daily basis…

(Screenshot: Cloudflare IDS)

Just because WordPress is easy to install and easy to use does not mean it’s easy to do right. If the proper measures aren’t taken during installation and your WordPress site is not properly maintained, you’re simply asking to be hacked. That can turn into a loss of real money for you, especially if your site ends up serving out malware. That could lead to your customers’ and consignors’ systems getting infected, which could really end up blowing up on a business. Also, a domain name that is associated with that kind of malicious activity can be blacklisted, effectively wiping your site off the web and making it virtually impossible to use for email.

Don’t get caught by surprise just because someone you know said they can “do WordPress” for you.


Is your website secure? Contact The Computer Peeps today for a free consultation.

The Computer Peeps can help whether you don’t have a website at all or you are looking to have your website redone! The Computer Peeps develop websites with functionality in mind. Consider a stylish and functional website done by The Computer Peeps if you can’t update your website whenever you please!